Prepping the front-line troops

Jun 18, 2001

Consider it a sign of the times that one of the most visible slogans at the Social Security Administration has nothing to do with retirement checks or supplemental income. Throughout the agency nowadays, people routinely come to work wearing a large button that reads: "Social Security Administration: Security is Our Middle Name."

This new agencywide push is meant to reinforce the notion that without all employees taking the proper security measures, the organization remains vulnerable to premeditated attacks on its information systems.

With a large majority of agency employees now using computers in their jobs and increased connectivity to the outside world via the Internet, the federal government has been aggressively escalating its efforts to educate end users on security best practices.

"Security doesn't just belong in one office in the organization, it belongs everywhere," said Tom Staples, associate commissioner for financial policy and operations at SSA. The agency attacks the problem on a number of fronts, offering not just computer-based training and classroom instruction, but a poster-of-the-month program, regular e-mail messages, screen banners, mouse pads and bookmarks, all lauding the best practices in everyday security.

"To have an effective security program, awareness of it and sensitivity to it has to permeate throughout your organization," he said. "And that means constant, never-ending and different approaches that catch people's attention."

Although security awareness training has been an annual requirement for federal agencies since the passage of the 1987 Computer Security Act, agency officials are boosting their programs in light of new threats and vulnerabilities that have surfaced in recent years.

"It is far more critical today to have computer security awareness among all employees and related training for employees," said Shirley Malia, a policy analyst for the Critical Infrastructure Assurance Office. "And the reason is that systems are so open today. They're connected to the Internet, they're connected to partners and they're connected to outside constituents."

To add to the problems, employees frequently don't realize they have a critical role to play. "The attitude still largely within the rank and file is, 'Well, somebody is taking care of security for me,'" said Randy Richmond, program manager for Verizon Federal Network Systems.

And as agencies have tightened overall information technology security, hackers have looked for new ways to breach the IT fortress and found that employees often unwittingly provide an easy point of entry.

Among hackers' strategies is something called "social engineering," which does not involve sophisticated programming skills but rather preys on human weaknesses. A hacker simply picks up the phone and, posing as, say, a member of the security office, cites a problem and asks for the employee's password or computer setup. Federal employees, trained to be increasingly helpful with customers and colleagues, tend to take the caller at his word and comply more often than agencies like to admit.

"Employee practices concerning security can be very lax if there isn't an overall understanding and reinforcement of the issues," Malia said, adding that scenario-based training can help employees learn how to respond in such situations. But, she said, education must go hand-in-hand with good policies.

"Agencies need a policy that says very strongly: 'Don't ever give out your password, even if you know for a fact who the person is on the other line,'" she said.

Security experts note that the combination of increased vulnerability and employee naiveté or lethargy can be disastrous for an agency. "All it takes is one mistake," said Terry Antonacci, director of the government services group at Netsec, a Herndon, Va.-based information security company that specializes in training computer users. "All it takes is one employee to decide not to use proper procedures, and that's where we hear the stories of hackers getting in and shutting a system down or manipulating data or stealing data."

Varied Tactics

To combat the new threats, agencies are using a number of approaches to build security awareness. For example, the Treasury Department is developing a Web-based awareness course that addresses handling passwords, viruses and other critical topics. The agency will make the course available on both the Internet and TreasNet, the agency's intranet.

The Internal Revenue Service and the Customs Service also have developed online training modules to help reach a highly distributed workforce. The Air Force relies heavily on classroom instruction and, like many agencies, has turned to a third-party provider, in this case Secure.Info Corp., San Antonio, to bring the latest and greatest knowledge about threats and practices to front-line employees.

Most agencies use a mix of computer-based training, classes and seminars, and one-on-one sessions between employees and a security officer or manager. Still others are incorporating a few of their own creative ideas.

George Bieber, a security specialist at the Defense Information Systems Agency, has developed a simulated scenario program called CyberProtect that allows both security specialists and regular employees within DISA and other Defense Department agencies to try their hand at combating security threats before being forced to confront them in the real world, with its real consequences.

The Commerce Department holds a security awareness fair once a year in its headquarters lobby. At SSA, a banner citing different practices and tips runs across the computer screens of employee desktops throughout the day. And the National Security Agency regularly tests its employees on security practices. Those who fail lose their computer access privileges until they can pass the test.

All of the efforts are solid and effective, say observers. But they also state that the "hows" of a good security awareness program don't matter quite as much as the policy behind it. For starters, the effort requires top-down buy-in; otherwise, employees won't think it important enough to give it their full attention. In addition, managers need to lay out a solid description of the goal "in order for employees to understand the articulation and description of what they should be learning," Malia said.

Carmen Logan, a telecommunications specialist in security at DISA, said that although individual offices can create and oversee awareness training and programs, the effort itself must be centralized. "It is important to have at least one single voice that works with other organizations," she said.

As part of DISA's Information Assurance Division, Logan's group manages the internal information assurance program for the agency, but also specifies requirements for information assurance training for all DISA employees, certifies employees in security training and writes policy.

Mike Lombard, IT security manager for Commerce, said an effective program needs to be tied to the agency's mission and business requirements, and the training needs to build knowledge.

"We find that most employees are much more willing and cooperative once you explain the situation to them," Lombard said. "So in an awareness training program, it's not enough to simply say that your password has to be of these particular constructs. They need to understand why."

He added that awareness measures also require enough variety to account for the different roles that each employee plays in the agency. A data-entry clerk may simply need the underlying reasons for a password explained, while a Web developer might be better served if he or she can view an actual demonstration of a hacker attack on a password and see how easy it is to break a weak password.
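The kind of demonstration Lombard describes, and the "why" behind password construction rules that he says employees need, can be shown with a small dictionary attack against hashed passwords. The script below is an added example written for this page; it is not training material from Commerce or any other agency. The wordlist, the mangling rules, the account names and their passwords are all constructed for illustration, and the hashes are computed in-line so the script runs offline. Its point is the one Lombard makes: a password that satisfies a "particular constructs" rule (upper, lower, digit, symbol) can still fall in a couple of dozen guesses, while an unpredictable passphrase survives the whole list.

```python
"""Added example: a dictionary attack against hashed passwords, of the kind an
awareness instructor might demonstrate to show why "meets the complexity rule"
is not the same as "hard to guess".

Everything here is constructed for illustration: the wordlist, the mangling
rules, the sample accounts and their hashes. No real credentials are involved.
"""
import hashlib
import time
from typing import Dict, Iterator, Optional, Tuple

# Constructed, deliberately tiny wordlist. Real crackers use lists of
# millions of leaked passwords, which is exactly why dictionary words,
# names and seasons are hopeless as passwords.
WORDLIST = ["password", "letmein", "welcome", "summer", "admin", "qwerty",
            "football", "dragon", "monkey", "sunshine", "security"]

# Common suffixes people append to satisfy "must contain a digit/symbol" rules.
SUFFIXES = ["", "1", "123", "!", "2001", "01"]


def leetify(word: str) -> str:
    """Apply the character substitutions people use to 'disguise' a word."""
    return (word.replace("a", "@").replace("e", "3")
                .replace("o", "0").replace("i", "1"))


def candidates() -> Iterator[str]:
    """Yield guesses in the order a cracker would try them: cheap rules first."""
    for word in WORDLIST:
        variants = (word, word.capitalize(), word.upper(),
                    leetify(word), leetify(word.capitalize()))
        for variant in variants:
            for suffix in SUFFIXES:
                yield variant + suffix


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 keeps the demo simple. A salted, slow hash (bcrypt,
    # PBKDF2) raises the cost per guess, but a few hundred guesses are still
    # instant, so it does not rescue a weak password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str) -> Tuple[Optional[str], int]:
    """Return (recovered_password, guesses_tried); password is None on failure."""
    guesses = 0
    for guess in candidates():
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def meets_complexity_rule(password: str) -> bool:
    """A typical 'constructs' rule: 8+ chars with upper, lower, digit, symbol."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


# Constructed sample accounts (hypothetical names). In a live demonstration
# the instructor would only have the hashes; the plaintexts are shown here
# so the script is self-contained.
SAMPLE_PASSWORDS = {
    "clerk":  "Summer2001",              # fails the rule, cracks anyway
    "webdev": "P@ssw0rd1",               # passes the rule, cracks anyway
    "admin":  "Orbit-gravel-tumble-47",  # passes the rule, survives
}
SAMPLE_HASHES = {user: sha256_hex(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def demo() -> Dict[str, Dict[str, object]]:
    """Run the attack against every sample hash and collect the outcome."""
    results = {}
    for user, digest in SAMPLE_HASHES.items():
        start = time.perf_counter()
        recovered, guesses = crack(digest)
        results[user] = {
            "cracked": recovered,
            "guesses": guesses,
            "seconds": round(time.perf_counter() - start, 4),
            "meets_rule": meets_complexity_rule(SAMPLE_PASSWORDS[user]),
        }
    return results


if __name__ == "__main__":
    for user, r in demo().items():
        status = f"cracked as {r['cracked']!r}" if r["cracked"] else "not cracked"
        print(f"{user:7s} rule_ok={r['meets_rule']!s:5s} "
              f"{status} after {r['guesses']} guesses ({r['seconds']}s)")
```

Run it and the "webdev" account, whose password passes the complexity rule, is recovered on the 26th guess; the "clerk" account falls on the 101st; the passphrase is still standing after all 330 candidates. That is the lesson an explanation of password rules alone does not convey: the rules describe the shape of a password, the attacker's wordlist describes its predictability, and only the second decides how long it lasts.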

"A lot of the vulnerabilities stem from the fact that you've got people in the program areas who have assumed IT responsibilities, and while they're very good in the program area, they're not always as knowledgeable in the IT area," Lombard said. "And if we're going to use people in that fashion, we have no choice: they have to have the appropriate level of training to do the job in an appropriate fashion."

Finally, a security awareness policy needs to address the fact that after initial training, employees often forget or fail to incorporate the new practices. This is one reason that many agencies are incorporating constant, ubiquitous marketing efforts such as newsletters and e-mail bulletins that keep awareness measures constantly at the forefront of employees' minds.

Hayes is a freelance writer based in Stuarts Draft, Va. She can be reached at hbhayes@cfw.com.